From 80d5123674514a1459cb3b021c6c3721358e9d69 Mon Sep 17 00:00:00 2001
From: Kenneth Bingham
Date: Thu, 2 Nov 2023 17:08:10 -0400
Subject: [PATCH] add zrok-share package
---
 .goreleaser-linux-arm64.yml | 77 ++++++++++
 .goreleaser-linux-armhf.yml | 77 ++++++++++
 .goreleaser-linux.yml | 77 ++++++++++
 docker/compose/zrok-private-share/compose.yml | 2 +-
 .../compose/zrok-public-reserved/compose.yml | 28 ++--
 docker/compose/zrok-public-share/compose.yml | 2 +-
 .../docker-share/docker_public_share_guide.md | 4 +-
 etc/caddy/README.md | 21 +++
 etc/caddy/multiple_upstream.Caddyfile | 26 ++--
 nfpm/README.md | 4 +
 nfpm/zrok-enable.bash | 58 ++++++++
 nfpm/zrok-share.bash | 133 ++++++++++++++++++
 nfpm/zrok-share.env | 79 +++++++++++
 nfpm/zrok-share.service | 17 +++
 14 files changed, 577 insertions(+), 28 deletions(-)
 create mode 100644 etc/caddy/README.md
 create mode 100644 nfpm/README.md
 create mode 100644 nfpm/zrok-enable.bash
 create mode 100644 nfpm/zrok-share.bash
 create mode 100644 nfpm/zrok-share.env
 create mode 100644 nfpm/zrok-share.service
diff --git a/.goreleaser-linux-arm64.yml b/.goreleaser-linux-arm64.yml
index 99cafc22..23637caa 100644
--- a/.goreleaser-linux-arm64.yml
+++ b/.goreleaser-linux-arm64.yml
@@ -57,3 +57,80 @@ nfpms: - src: /opt/openziti/bin/zrok dst: /usr/bin/zrok type: "symlink" + + - package_name: zrok-share + id: zrok-share + vendor: NetFoundry + homepage: https://zrok.io/ + maintainer: support@zrok.io + description: |- + This package provides zrok-share.service. To enable, edit the "/opt/openziti/etc/zrok/zrok-share.env" file with the + desired target for sharing, and run "systemctl enable --now zrok-share.service". + license: Apache 2.0 + + # do not bundle the built binaries, only supporting files + meta: true + + # Formats to be generated. + formats: + - deb + - rpm + + # {{ .ConventionalFileName }} satisfies the RPM name convention. + file_name_template: "{{ .ConventionalFileName }}" + + # Umask to be used on files without explicit mode set. (overridable) + umask: 0o002 + + # Package version within this release version. + release: 1 + + # Section. + section: default + + # Priority. + priority: optional + + # GoReleaser will automatically add the binaries here + dependencies: + - zrok + + # this allows users to satisfy the requirement for jq another way, not with the package manager, e.g. + # apt install --no-recommends zrok-share + recommends: + - jq + + overrides: + # yum and dnf do not automatically install "weak deps" aka "recommends", so we need to add them as a dependency + rpm: + dependencies: + - zrok + - jq + + # Contents to add to the package. + contents: + - dst: /lib/systemd/system/ + src: ./nfpm/zrok-share.service + + - dst: /opt/openziti/etc/zrok + type: dir + file_info: + mode: 0755 + + - dst: /opt/openziti/bin/ + src: ./nfpm/zrok-share.bash + file_info: + mode: 0755 + + - dst: /opt/openziti/bin/ + src: ./nfpm/zrok-enable.bash + file_info: + mode: 0755 + + - dst: /opt/openziti/etc/zrok/ + src: ./nfpm/zrok-share.env + type: config|noreplace + + - dst: /opt/openziti/etc/zrok/ + src: ./etc/caddy/multiple_upstream.Caddyfile + type: config|noreplace 
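Review bot: The `contents` entry for `./nfpm/zrok-share.env` has no `file_info.mode`, yet that file is where `zrok-enable.bash` reads `ZROK_ENABLE_TOKEN` from, so it is installed with the umask-derived default and is readable by every local account; the identical entry is in the `.goreleaser-linux-armhf.yml` and `.goreleaser-linux.yml` hunks. A tighter mode alone is not enough because the unit's `DynamicUser` still has to read the file, so the fix is either a group the dynamic user joins via `SupplementaryGroups=` or moving the token out of the config file into a systemd credential (`LoadCredential=`); until one of those lands, the entry deserves a comment recording the trade-off, e.g. `# holds ZROK_ENABLE_TOKEN; left world-readable so the DynamicUser can source it`. Separately, the comment `# GoReleaser will automatically add the binaries here` above `dependencies` is misleading for a `meta: true` package whose dependency on `zrok` is listed by hand; `# runtime dependency on the zrok binary package` says what the list actually is.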
diff --git a/.goreleaser-linux-armhf.yml b/.goreleaser-linux-armhf.yml
index 17526c96..afb4e052 100644
--- a/.goreleaser-linux-armhf.yml
+++ b/.goreleaser-linux-armhf.yml
@@ -57,3 +57,80 @@ nfpms: - src: /opt/openziti/bin/zrok dst: /usr/bin/zrok type: "symlink" + + - package_name: zrok-share + id: zrok-share + vendor: NetFoundry + homepage: https://zrok.io/ + maintainer: support@zrok.io + description: |- + This package provides zrok-share.service. To enable, edit the "/opt/openziti/etc/zrok/zrok-share.env" file with the + desired target for sharing, and run "systemctl enable --now zrok-share.service". + license: Apache 2.0 + + # do not bundle the built binaries, only supporting files + meta: true + + # Formats to be generated. + formats: + - deb + - rpm + + # {{ .ConventionalFileName }} satisfies the RPM name convention. + file_name_template: "{{ .ConventionalFileName }}" + + # Umask to be used on files without explicit mode set. (overridable) + umask: 0o002 + + # Package version within this release version. + release: 1 + + # Section. + section: default + + # Priority. + priority: optional + + # GoReleaser will automatically add the binaries here + dependencies: + - zrok + + # this allows users to satisfy the requirement for jq another way, not with the package manager, e.g. + # apt install --no-recommends zrok-share + recommends: + - jq + + overrides: + # yum and dnf do not automatically install "weak deps" aka "recommends", so we need to add them as a dependency + rpm: + dependencies: + - zrok + - jq + + # Contents to add to the package. + contents: + - dst: /lib/systemd/system/ + src: ./nfpm/zrok-share.service + + - dst: /opt/openziti/etc/zrok + type: dir + file_info: + mode: 0755 + + - dst: /opt/openziti/bin/ + src: ./nfpm/zrok-share.bash + file_info: + mode: 0755 + + - dst: /opt/openziti/bin/ + src: ./nfpm/zrok-enable.bash + file_info: + mode: 0755 + + - dst: /opt/openziti/etc/zrok/ + src: ./nfpm/zrok-share.env + type: config|noreplace + + - dst: /opt/openziti/etc/zrok/ + src: ./etc/caddy/multiple_upstream.Caddyfile + type: config|noreplace 
diff --git a/.goreleaser-linux.yml b/.goreleaser-linux.yml
index 3a9c08cc..aa728c45 100644
--- a/.goreleaser-linux.yml
+++ b/.goreleaser-linux.yml
@@ -53,3 +53,80 @@ nfpms: - src: /opt/openziti/bin/zrok dst: /usr/bin/zrok type: "symlink" + + - package_name: zrok-share + id: zrok-share + vendor: NetFoundry + homepage: https://zrok.io/ + maintainer: support@zrok.io + description: |- + This package provides zrok-share.service. To enable, edit the "/opt/openziti/etc/zrok/zrok-share.env" file with the + desired target for sharing, and run "systemctl enable --now zrok-share.service". + license: Apache 2.0 + + # do not bundle the built binaries, only supporting files + meta: true + + # Formats to be generated. + formats: + - deb + - rpm + + # {{ .ConventionalFileName }} satisfies the RPM name convention. + file_name_template: "{{ .ConventionalFileName }}" + + # Umask to be used on files without explicit mode set. (overridable) + umask: 0o002 + + # Package version within this release version. + release: 1 + + # Section. + section: default + + # Priority. + priority: optional + + # GoReleaser will automatically add the binaries here + dependencies: + - zrok + + # this allows users to satisfy the requirement for jq another way, not with the package manager, e.g. + # apt install --no-recommends zrok-share + recommends: + - jq + + overrides: + # yum and dnf do not automatically install "weak deps" aka "recommends", so we need to add them as a dependency + rpm: + dependencies: + - zrok + - jq + + # Contents to add to the package. + contents: + - dst: /lib/systemd/system/ + src: ./nfpm/zrok-share.service + + - dst: /opt/openziti/etc/zrok + type: dir + file_info: + mode: 0755 + + - dst: /opt/openziti/bin/ + src: ./nfpm/zrok-share.bash + file_info: + mode: 0755 + + - dst: /opt/openziti/bin/ + src: ./nfpm/zrok-enable.bash + file_info: + mode: 0755 + + - dst: /opt/openziti/etc/zrok/ + src: ./nfpm/zrok-share.env + type: config|noreplace + + - dst: /opt/openziti/etc/zrok/ + src: ./etc/caddy/multiple_upstream.Caddyfile + type: config|noreplace 
diff --git a/docker/compose/zrok-private-share/compose.yml b/docker/compose/zrok-private-share/compose.yml index 77d7d38e..25ca9c76 100644 --- a/docker/compose/zrok-private-share/compose.yml +++ b/docker/compose/zrok-private-share/compose.yml @@ -32,7 +32,7 @@ services: zrok-share: image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok} - command: share private --headless --backend-mode proxy ${ZROK_BACKEND:-http://zrok-test:9090/} + command: share private --headless --backend-mode proxy ${ZROK_TARGET:-http://zrok-test:9090/} depends_on: zrok-enable: condition: service_completed_successfully diff --git a/docker/compose/zrok-public-reserved/compose.yml b/docker/compose/zrok-public-reserved/compose.yml index 5f281b4f..85c50a65 100644 --- a/docker/compose/zrok-public-reserved/compose.yml +++ b/docker/compose/zrok-public-reserved/compose.yml @@ -7,7 +7,7 @@ services: - sh - -euc - | - ZROK_UPSTREAM_URL="${ZROK_BACKEND:-http://zrok-test:9090}" + ZROK_UPSTREAM_URL="${ZROK_TARGET:-http://zrok-test:9090}" ZROK_UPSTREAM_HOST="$(echo $${ZROK_UPSTREAM_URL}|sed -E 's#^https?://([^/:]+).*#\1#')" mkdir -p /mnt/.zrok cat <| /mnt/.zrok/Caddyfile @@ -90,12 +90,12 @@ services: - -euc - | if [[ -s ~/.zrok/reserved.json ]]; then - ZROK_RESERVE_TOKEN="$(jq '.token' ~/.zrok/reserved.json 2>/dev/null)" - if [[ -z "$${ZROK_RESERVE_TOKEN}" || "$${ZROK_RESERVE_TOKEN}" == null ]]; then + ZROK_RESERVED_TOKEN="$(jq '.token' ~/.zrok/reserved.json 2>/dev/null)" + if [[ -z "$${ZROK_RESERVED_TOKEN}" || "$${ZROK_RESERVED_TOKEN}" == null ]]; then echo "ERROR: invalid reserved.json: $(jq -c . ~/.zrok/reserved.json)" >&2 exit 1 - else - echo "INFO: zrok backend is already reserved: $${ZROK_RESERVE_TOKEN}" + else + echo "INFO: zrok backend is already reserved: $${ZROK_RESERVED_TOKEN}" exit 0 fi else 
@@ -108,7 +108,7 @@ services: ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}" fi if [[ -n "${ZROK_BACKEND_MODE:-}" && "${ZROK_BACKEND_MODE}" != caddy ]]; then - ZROK_CMD+=" --backend-mode ${ZROK_BACKEND_MODE} ${ZROK_BACKEND:-http://zrok-test:9090}" + ZROK_CMD+=" --backend-mode ${ZROK_BACKEND_MODE} ${ZROK_TARGET:-http://zrok-test:9090}" else ZROK_CMD+=" --backend-mode caddy /mnt/.zrok/Caddyfile" fi @@ -138,21 +138,21 @@ services: if [[ -z "$${ZROK_PUBLIC_URLS}" || "$${ZROK_PUBLIC_URLS}" == null ]]; then echo "ERROR: frontend endpoints not defined" >&2 exit 1 - else + else echo "INFO: zrok public URLs: $${ZROK_PUBLIC_URLS}" fi - ZROK_RESERVE_TOKEN=$(jq -r '.token' ~/.zrok/reserved.json 2>/dev/null) - if [[ -z "$${ZROK_RESERVE_TOKEN}" && "$${ZROK_RESERVE_TOKEN}" == null ]]; then + ZROK_RESERVED_TOKEN=$(jq -r '.token' ~/.zrok/reserved.json 2>/dev/null) + if [[ -z "$${ZROK_RESERVED_TOKEN}" && "$${ZROK_RESERVED_TOKEN}" == null ]]; then echo "ERROR: zrok reservation token not defined" >&2 exit 1 - else - echo "INFO: zrok reservation token: $${ZROK_RESERVE_TOKEN}" + else + echo "INFO: zrok reservation token: $${ZROK_RESERVED_TOKEN}" fi - echo "INFO: running: zrok $${@} $${ZROK_RESERVE_TOKEN}" - exec zrok "$${@}" $${ZROK_RESERVE_TOKEN} + echo "INFO: running: zrok $${@} $${ZROK_RESERVED_TOKEN}" + exec zrok "$${@}" $${ZROK_RESERVED_TOKEN} fi - command: -- share reserved --headless + command: -- share reserved --headless depends_on: zrok-reserve: condition: service_completed_successfully diff --git a/docker/compose/zrok-public-share/compose.yml b/docker/compose/zrok-public-share/compose.yml index 527f0e14..110c929c 100644 --- a/docker/compose/zrok-public-share/compose.yml +++ b/docker/compose/zrok-public-share/compose.yml 
@@ -48,7 +48,7 @@ services: if [[ -n "${ZROK_OAUTH_PROVIDER:-}" ]]; then ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}" fi - ZROK_CMD+=" --backend-mode proxy ${ZROK_BACKEND:-http://zrok-test:9090/}" + ZROK_CMD+=" --backend-mode proxy ${ZROK_TARGET:-http://zrok-test:9090/}" echo "INFO: running: zrok $${ZROK_CMD}" exec zrok $${ZROK_CMD} depends_on: diff --git a/docs/guides/docker-share/docker_public_share_guide.md b/docs/guides/docker-share/docker_public_share_guide.md index 2b8ebe11..34bebfe6 100644 --- a/docs/guides/docker-share/docker_public_share_guide.md +++ b/docs/guides/docker-share/docker_public_share_guide.md @@ -54,10 +54,10 @@ This concludes sharing the demo web server. Read on to learn how to pivot to sha ## Proxy Any Web Server -The simplest way to share your web server is to set `ZROK_BACKEND` (e.g. `https://example.com`) in the environment of the `docker compose up` command. When you restart the share will auto-configure for that upstream server URL. This applies to both temporary and reserved public shares. +The simplest way to share your web server is to set `ZROK_TARGET` (e.g. `https://example.com`) in the environment of the `docker compose up` command. When you restart the share will auto-configure for that upstream server URL. This applies to both temporary and reserved public shares. ```bash title=".env" -ZROK_BACKEND="http://example.com:8080" +ZROK_TARGET="http://example.com:8080" ``` ## Require Authentication diff --git a/etc/caddy/README.md b/etc/caddy/README.md new file mode 100644 index 00000000..0969ea40 --- /dev/null +++ b/etc/caddy/README.md 
@@ -0,0 +1,21 @@ + +# Caddyfile Samples + +The Caddyfile samples in this directory are for use with `--backend-mode caddy ./my.Caddyfile` which runs an embedded +Caddy server. + +With a zrok reserved share, you have the option to permanently override the path to the Caddyfile when you run `zrok +share reserved ${ZROK_RESERVED_TOKEN} --override-endpoint new.Caddyfile`. + +The Caddyfile must have this structure because it is rendered as a Go template by zrok to bind the HTTP listener. + +```console +http:// { + bind {{ .ZrokBindAddress }} + # customize reverse_proxy, file_server, etc. +} +``` + +## Notes + +multiple_upstream.Caddyfile is bundled in the zrok-share package for Linux as an example Caddyfile. diff --git a/etc/caddy/multiple_upstream.Caddyfile b/etc/caddy/multiple_upstream.Caddyfile index 3e87dec4..6aedb30d 100644 --- a/etc/caddy/multiple_upstream.Caddyfile +++ b/etc/caddy/multiple_upstream.Caddyfile @@ -2,18 +2,24 @@ # http:// { # Bind to the zrok share - bind {{ .ZrokBindAddress }} + bind {{ .ZrokBindAddress }} # Handle paths starting with `/zrok/*` # This will also strip the `/zrok/` from the path before sending to the backend - handle_path /zrok/* { - reverse_proxy https://zrok.io { - header_up Host zrok.io - } - } + handle_path /zrok/* { + reverse_proxy https://zrok.io { + header_up Host zrok.io + } + } - # All other traffic goes to localhost:3000 - reverse_proxy /* 127.0.0.1:3000 { - header_up Host localhost:3000 - } + # serve index.html if it exists, else a file index + handle_path /zrok-static/* { + root * /var/www/html + file_server browse + } + + # All other traffic goes to localhost:3000 + reverse_proxy /* 127.0.0.1:3000 { + header_up Host localhost:3000 + } } diff --git a/nfpm/README.md b/nfpm/README.md new file mode 100644 index 00000000..e6e403cb --- /dev/null +++ b/nfpm/README.md @@ -0,0 +1,4 @@ + +# nfpm supporting files + +These files are sourced by nfpm when invoked by goreleaser to build Linux packages. 
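Review bot: The new `handle_path /zrok-static/*` block in `multiple_upstream.Caddyfile` enables `file_server browse`, which publishes a listing of every directory under `/var/www/html` that has no index file, and because this file ships as `config|noreplace` in the zrok-share package that listing is on by default for anyone who points `ZROK_TARGET` at it. The comment above the block should make that explicit, e.g. `# 'browse' lists directory contents wherever index.html is missing; remove it to return 404 instead`, or `browse` should be left out of the bundled sample and mentioned in `etc/caddy/README.md` as an opt-in.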
diff --git a/nfpm/zrok-enable.bash b/nfpm/zrok-enable.bash new file mode 100644 index 00000000..de0546ab --- /dev/null +++ b/nfpm/zrok-enable.bash @@ -0,0 +1,58 @@ +#!/usr/bin/env bash +# +# this script uses a zrok enable token to enable a zrok environment in $HOME/.zrok +# + +set -o errexit +set -o nounset +set -o pipefail + +BASENAME=$(basename "$0") +DEFAULT_ZROK_ENVIRONMENT_NAME="zrok-share.service on $(hostname -s)" + +if (( $# )); then + case $1 in + -h|*help) + echo -e \ + "Usage: ${BASENAME} FILENAME\n"\ + "\tFILENAME\tfile containing environment variables to set" + exit 0 + ;; + esac +fi + +# set HOME to the first colon-sep dir in STATE_DIRECTORY inherited from systemd, e.g. /var/lib/zrok-share +if [[ -n "${STATE_DIRECTORY:-}" ]]; then + export HOME="${STATE_DIRECTORY%:*}" +else + echo "ERROR: STATE_DIRECTORY is undefined. This script must be run from systemd because it runs as a"\ + "dynamically-allocated user and exclusively manages the files in STATE_DIRECTORY" >&2 + exit 1 +fi + +if [[ -s ~/.zrok/environment.json ]]; then + echo "INFO: zrok environment is already enabled. Delete '$(realpath ~/.zrok/environment.json)' if you want to create a"\ + "new environment." + exit 0 +fi + +if (( $# )); then + if [[ -s "$1" ]]; then + source "$1" + else + echo "ERROR: \$1="$1" is empty or not a readable file" >&2 + exit 1 + fi +else + echo "ERROR: need filename argument to read environment configuration" >&2 + exit 1 +fi + +if [[ -z "${ZROK_ENABLE_TOKEN}" ]]; then + echo "ERROR: ZROK_ENABLE_TOKEN is not defined" >&2 + exit 1 +else + zrok config set apiEndpoint "${ZROK_API_ENDPOINT:-https://api.zrok.io}" + echo "INFO: running: zrok enable ..." + exec zrok enable --headless --description "${ZROK_ENVIRONMENT_NAME:-${DEFAULT_ZROK_ENVIRONMENT_NAME}}" "${ZROK_ENABLE_TOKEN}" +fi diff --git a/nfpm/zrok-share.bash b/nfpm/zrok-share.bash new file mode 100644 index 00000000..0b55a663 --- /dev/null +++ b/nfpm/zrok-share.bash 
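Review bot: The `[[ -z "${ZROK_ENABLE_TOKEN}" ]]` check in `zrok-enable.bash` runs under `set -o nounset`, so an env file that omits the variable (rather than setting it empty, as the packaged `zrok-share.env` does) aborts with bash's "unbound variable" message instead of the intended `ERROR: ZROK_ENABLE_TOKEN is not defined`; write it as `if [[ -z "${ZROK_ENABLE_TOKEN:-}" ]]; then`, matching the `${ZROK_TARGET:-}` form used in `zrok-share.bash`. The error branch under `[[ -s "$1" ]]` also has its quoting inverted: `"ERROR: \$1="$1" is empty or not a readable file"` leaves `$1` outside the double quotes, so a path containing spaces is word-split before `echo` prints it; `echo "ERROR: '$1' is empty or not readable" >&2` matches the sibling script. Finally, `-h|*help)` is a glob pattern, so an env file whose path happens to end in `help` prints usage instead of being sourced; `-h|--help)` is the safer spelling.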
@@ -0,0 +1,133 @@ +#!/usr/bin/env bash +# +# this script shares the configured backend for a reserved share token +# + +set -o errexit +set -o nounset +set -o pipefail + +if ! command -v jq &>/dev/null; then + echo "ERROR: jq is needed but not installed" >&2 + exit 1 +fi + +# set HOME to the first colon-sep dir in STATE_DIRECTORY inherited from systemd, e.g. /var/lib/zrok-share +export HOME="${STATE_DIRECTORY%:*}" + +if (( $# )); then + if [[ -s "$1" ]]; then + source "$1" + else + echo "ERROR: '$1' is empty or not readable" >&2 + exit 1 + fi +else + # TODO: consider defining a default environment file + # if [[ -s /opt/openziti/etc/zrok.env ]]; then + # source /opt/openziti/etc/zrok.env + # else + # echo "ERROR: need /opt/openziti/etc/zrok.env or filename argument to read share configuration" >&2 + # exit 1 + # fi + echo "ERROR: need filename argument to read share configuration" >&2 + exit 1 +fi + +if [[ -s ~/.zrok/reserved.json ]]; then + ZROK_RESERVED_TOKEN="$(jq '.token' ~/.zrok/reserved.json 2>/dev/null)" + if [[ -z "${ZROK_RESERVED_TOKEN}" || "${ZROK_RESERVED_TOKEN}" == null ]]; then + echo "ERROR: invalid reserved.json: '$(jq -c . ~/.zrok/reserved.json)'" >&2 + exit 1 + else + echo "INFO: zrok backend is already reserved: ${ZROK_RESERVED_TOKEN}" + fi +else + ZROK_CMD="reserve public --json-output ${ZROK_VERBOSE:-}" + [[ -n "${ZROK_TARGET:-}" ]] || { + echo "ERROR: ZROK_TARGET was not defined in /opt/openziti/etc/zrok/zrok-share.env." >&2 + exit 1 + } + [[ -n "${ZROK_BACKEND_MODE:-}" ]] || { + echo "WARNING: ZROK_BACKEND_MODE was not defined, assuming mode 'proxy'." >&2 + ZROK_BACKEND_MODE="proxy" + } + case "${ZROK_BACKEND_MODE}" in + proxy) + if ! [[ "${ZROK_TARGET}" =~ ^https?:// ]]; then + echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an HTTP URL" >&2 + exit 1 + else + echo "INFO: validated backend mode ${ZROK_BACKEND_MODE} and target ${ZROK_TARGET}" + fi + ;; + caddy) + if ! 
[[ "${ZROK_TARGET}" =~ ^/ ]]; then + echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an absolute filesystem path." >&2 + exit 1 + elif ! [[ -f "${ZROK_TARGET}" && -r "${ZROK_TARGET}" ]]; then + echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not a readable regular file" >&2 + exit 1 + else + echo "INFO: validated backend mode ${ZROK_BACKEND_MODE} and target ${ZROK_TARGET}" + fi + ;; + web|drive) + if ! [[ "${ZROK_TARGET}" =~ ^/ ]]; then + echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an absolute filesystem path." >&2 + exit 1 + elif ! [[ -d "${ZROK_TARGET}" && -r "${ZROK_TARGET}" ]]; then + echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not a readable directory" >&2 + exit 1 + else + echo "INFO: validated backend mode ${ZROK_BACKEND_MODE} and target ${ZROK_TARGET}" + fi + ;; + *) + echo "WARNING: ZROK_BACKEND_MODE='${ZROK_BACKEND_MODE}' is not a recognized mode for a zrok public share."\ + " ZROK_TARGET value will not validated before running." >&2 + ;; + esac + ZROK_CMD+=" --backend-mode ${ZROK_BACKEND_MODE} ${ZROK_TARGET}" + if [[ -n "${ZROK_SHARE_OPTS:-}" ]]; then + ZROK_CMD+=" ${ZROK_SHARE_OPTS}" + fi + if [[ -n "${ZROK_OAUTH_PROVIDER:-}" ]]; then + ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}" + fi + if [[ -n "${ZROK_OAUTH_EMAILS:-}" ]]; then + for EMAIL in ${ZROK_OAUTH_EMAILS}; do + if ! [[ ${EMAIL} =~ @ ]]; then + echo "WARNING: '${EMAIL}' does not contain '@' so it may match more than one email domain!" >&2 + fi + ZROK_CMD+=" --oauth-email-domains ${EMAIL}" + done + fi + echo "INFO: running: zrok ${ZROK_CMD}" + zrok ${ZROK_CMD} | jq -rc | tee ~/.zrok/reserved.json +fi + +if ! 
[[ -s ~/.zrok/reserved.json ]]; then + echo "ERROR: empty or missing $(realpath ~/.zrok)/reserved.json" >&2 + exit 1 +else + ZROK_PUBLIC_URLS=$(jq -cr '.frontend_endpoints' ~/.zrok/reserved.json 2>/dev/null) + if [[ -z "${ZROK_PUBLIC_URLS}" || "${ZROK_PUBLIC_URLS}" == null ]]; then + echo "ERROR: frontend endpoints not defined in $(realpath ~/.zrok)/reserved.json" >&2 + exit 1 + else + echo "INFO: zrok public URLs: ${ZROK_PUBLIC_URLS}" + fi + ZROK_RESERVED_TOKEN=$(jq -r '.token' ~/.zrok/reserved.json 2>/dev/null) + if [[ -z "${ZROK_RESERVED_TOKEN}" || "${ZROK_RESERVED_TOKEN}" == null ]]; then + echo "ERROR: zrok reservation token not defined in $(realpath ~/.zrok)/reserved.json" >&2 + exit 1 + fi + ZROK_CMD="share reserved ${ZROK_RESERVED_TOKEN} --headless --override-endpoint ${ZROK_TARGET}" + ZROK_CMD+=" ${ZROK_VERBOSE:-} ${ZROK_INSECURE:-}" + if [[ -n "${ZROK_SHARE_OPTS:-}" ]]; then + ZROK_CMD+=" ${ZROK_SHARE_OPTS}" + fi + echo "INFO: running: zrok ${ZROK_CMD}" + exec zrok ${ZROK_CMD} +fi diff --git a/nfpm/zrok-share.env b/nfpm/zrok-share.env new file mode 100644 index 00000000..389e819a --- /dev/null +++ b/nfpm/zrok-share.env 
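Review bot: `ZROK_TARGET` is only checked for being set inside the `else` branch that reserves a new share, yet the final block uses it unconditionally in `--override-endpoint ${ZROK_TARGET}`, so once `reserved.json` exists a restart with an env file that no longer defines it dies with a nounset "unbound variable" error rather than the intended message, and an edited target skips the per-mode validation entirely, which the env file explicitly invites by saying `ZROK_TARGET` may be changed after reservation. Moving the `[[ -n "${ZROK_TARGET:-}" ]] || { … }` guard together with the `ZROK_BACKEND_MODE` default and the `case "${ZROK_BACKEND_MODE}"` validation above `if [[ -s ~/.zrok/reserved.json ]]` runs them on every start. `export HOME="${STATE_DIRECTORY%:*}"` likewise needs the explicit `STATE_DIRECTORY` check that `zrok-enable.bash` has, since under `nounset` a manual invocation fails with an opaque error instead of explaining that the script expects systemd. The first `jq '.token'` read lacks the `-r` that the final block uses, so the "already reserved" INFO line prints the token wrapped in JSON quotes; `jq -r '.token'` keeps the two reads consistent.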
@@ -0,0 +1,79 @@ +# These values are sourced by the zrok-share.service. Search for "MUST" to identify the values that need to be changed. + +# +## ZROK ENVIRONMENT +# +# You MUST enable a zrok environment. You MAY set the environment enable token here, or run +# /opt/openziti/bin/zrok-enable.bash as root for an interactive prompt to avoid saving the enable token to disk. Obtain +# the enable token from the zrok console after accepting your invitation and creating a password. +# +# WARNING: changing these values has no effect if /var/lib/zrok-share/.zrok/environment.json exists. Remove that file to +# enable a new environment and /var/lib/zrok-share/.zrok/reserved.json to provision a new frontend URL for the specified +# target. +# +ZROK_ENABLE_TOKEN="" + +# +# You MAY customize the environment name that appears in the zrok console. +# +ZROK_ENVIRONMENT_NAME="" + +# set if self-hosting zrok +#ZROK_API_ENDPOINT="https://api.zrok.io" + +# +## ZROK BACKEND TARGET +# +# You MUST define the backend target and mode. The frontend URL will be provisioned when the service starts. You MAY +# change ZROK_TARGET and frontend URL will remain the same after a restart as long as the backend mode and frontend +# authentication options are the same. Options that require provisioning a new frontend URL when changed are marked with +# WARNING. You may delete /var/lib/zrok-share/.zrok/reserved.json and restart the service to provision a new frontend URL. +# +# backend-mode "proxy" (default): share a backend web server URL that's reachable by this host; must begin with 'http://' or +# 'https://'; must accept the HOST header of the proxy frontend. Check out backend mode "caddy" if you need more control. 
+ZROK_TARGET="" # e.g., http://127.0.0.1:3000 +ZROK_BACKEND_MODE="proxy" +# if defined, an https share's backend server certificate will not be verified with backend-mode 'proxy' +# NOTE: changing this value does not require provisioning a new frontend URL +#ZROK_INSECURE="--insecure" + +# backend-mode "web": run a web server and share a static HTML directory that's present on this host. Must be an +# absolute path to a directory that is readable by 'other' +#ZROK_TARGET="/var/www/html" +#ZROK_BACKEND_MODE="web" + +# backend-mode "drive": run a WebDAV file server sharing a directory that's present on this host. Must be an absolute +# path to a directory that is readable by 'other' +#ZROK_TARGET="/usr/share/doc" +#ZROK_BACKEND_MODE="drive" + +# backend-mode "caddy": run an embedded Caddy server configured by the supplied Caddyfile. Must be an absolute path that +# is readable by 'other'. +#ZROK_TARGET="/opt/openziti/etc/zrok/multiple_upstream.Caddyfile" +#ZROK_BACKEND_MODE="caddy" + +# DEBUG log level +# NOTE: changing this value does not require provisioning a new frontend URL +#ZROK_VERBOSE="--verbose" + +# you MAY set additional command-line options for the share; see "zrok reserve public --help" for hints +# WARNING: changing this value requires provisioning a new frontend URL +# NOTE: basic auth and oauth are mutually exclusive +ZROK_SHARE_OPTS="" + +# +## ZROK FRONTEND +# + +# you MAY set one OAuth2/OIDC provider; "google" and "github" are valid for the default instance api.zrok.io +# WARNING: changing this value requires provisioning a new frontend URL +# NOTE: basic auth and oauth are mutually exclusive +#ZROK_OAUTH_PROVIDER="google" + +# you MAY restrict access to one or more email addresses or domains; must be a space-separate list +# WARNING: changing this value requires provisioning a new frontend URL +#ZROK_OAUTH_EMAILS="bob@acme.example.com alice@forge.example.com @corp.example.com" + +# set if self-hosting zrok and not using only the default frontend 
name 'public'; must be a space-separated list +# WARNING: changing this value requires provisioning a new frontend URL +#ZROK_FRONTENDS="public" diff --git a/nfpm/zrok-share.service b/nfpm/zrok-share.service new file mode 100644 index 00000000..084a0a04 --- /dev/null +++ b/nfpm/zrok-share.service @@ -0,0 +1,17 @@ +[Unit] +Description=zrok reserved public share service +After=network-online.target + +[Service] +Type=simple +DynamicUser=yes +StateDirectory=zrok-share +UMask=0007 +Environment=PFXLOG_NO_JSON=true +ExecStartPre=/opt/openziti/bin/zrok-enable.bash /opt/openziti/etc/zrok/zrok-share.env +ExecStart=/opt/openziti/bin/zrok-share.bash /opt/openziti/etc/zrok/zrok-share.env +Restart=always +RestartSec=3 + +[Install] +WantedBy=multi-user.target
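Review bot: The header comment in `zrok-share.env` says you can `run /opt/openziti/bin/zrok-enable.bash as root for an interactive prompt to avoid saving the enable token to disk`, but the script in this commit has no prompt: it exits with `ERROR: STATE_DIRECTORY is undefined` unless run from systemd, and then requires a filename argument, so a reader following that advice cannot succeed. Either drop the sentence or rephrase it to what the script supports, e.g. `# zrok-enable.bash reads the token from this file on service start and exits early once environment.json exists, so you may clear ZROK_ENABLE_TOKEN here afterwards.` Also `must be a space-separate list` on the `ZROK_OAUTH_EMAILS` comment should read `space-separated`.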
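Review bot: `After=network-online.target` in `zrok-share.service` only orders the unit and does not pull the target in, so on a host where nothing else wants it the unit can start before the network is up and the `zrok enable`/`reserve` calls in `ExecStartPre` and `ExecStart` fail on first boot; systemd's guidance is to pair it with `Wants=network-online.target`. With `Restart=always` and `RestartSec=3` that first failure then loops until the start-rate limit trips, which reads as a misconfiguration in the journal rather than a transient network delay.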